Employees Gambling with Corporate Data by Installing Digital Gambling Apps on Mobile Devices Used for Work

BURLINGTON, Mass. — September 2, 2015 — Veracode, a leader in protecting enterprises from today’s pervasive web and mobile application threats, today released analytics from its cloud-based platform showing that, based on its analysis of hundreds of thousands of scans of mobile apps installed in actual corporate environments, the average global enterprise has multiple gambling apps installed in its mobile environment. In fact, some environments were found to contain as many as 35 unique gambling apps. Many of these apps contain adware as well as critical vulnerabilities, such as weak encryption, enabling cyberattackers to gain access to contacts, emails, call history, and phone locations as well as to record phone conversations.

The use of mobile gambling applications is growing exponentially. Juniper Research estimates that smartphone and tablet owners will place upwards of $60 billion in bets by 2018 using casino-type gambling apps — roughly five times the current size of the overall mobile gaming market[1]. Another telling data point is that spending on casino and card games for Android was up 105 percent from November 2013 to November 2014[2].

At the same time, Gartner estimates that 75 percent of mobile apps will fail basic security tests through 2015[3]. While some of this is due to sloppy programming and the use of insecure open source and third-party libraries, cybercriminals and nation-states are also constantly looking to exploit insecure apps in order to steal corporate intellectual property, track high-profile individuals and/or dissidents, and insert aggressive adware for monetary gain. In addition, free apps typically incorporate advertising software development kits (SDKs) that monetize by sending user data such as identity and location to advertising servers located around the world.

Veracode has identified a number of unsafe slots, poker, black jack and bingo apps, including examples of vulnerabilities and malware such as the following:

A popular casino app checks to see if a device is rooted or jailbroken, thereby determining if the app has the ability to install additional functionality enabling it to disable anti-malware, replace firmware or view cached credentials such as banking passwords. Additionally this app has the capability to record audio and video and access user identity information, and it can be exploited using a man-in-the-middle (MITM) attack that allows cyberattackers to eavesdrop and even alter network communication.

A major slots app communicates with its back-end cloud services using unencrypted HTTP rather than the more secure HTTPS protocol. This can be used to build a target profile by revealing sensitive demographic data such as gender, birthday and last login timestamp. Further analysis reveals that the app also downloads up to 24 megabytes of encrypted data from servers located outside the US — without the user’s permission — indicating that it can potentially install malicious software on the fly.

Ten digital gambling apps — including Gold Fish Casino Slots, Jackpot Party Casino and Texas Poker — can read, write and delete local files as well as directly access network functions such as creating connections to arbitrary servers and receiving data from any source.

Analytics from Veracode’s cloud-based platform also reveal that more than three-quarters of all mobile apps fail basic security policies such as the Mobile OWASP Top 10. Further industry research shows that top attacks include Remote Access Trojans (RATs) for accessing user data, man-in-the-middle (MITM) attacks due to weak cryptography, ransomware that restricts access to devices until the ransom is paid, and fake certificates that enable attackers to side-load malicious apps.

“Like it or not, corporate users are installing risky apps on their mobile devices, thereby increasing the attack surface and putting corporate data at risk as well as compromising the security of high-profile employees such as executives,” said Theodora Titonis, VP of mobile security at Veracode. “Manual approaches for addressing unsafe mobile apps, such as manual pen testing and manually-curated blacklists, are difficult to scale because of the sheer size, complexity and constantly-changing nature of the problem. As a result, they either fail to keep up with mobile threats or frustrate employees by prohibiting apps arbitrarily.”

Enterprises can reduce risk by implementing automated application blacklisting and other policy-based controls via standard MDM/EMM solutions from vendors such as MobileIron, AirWatch by VMware, and Fiberlink, an IBM company. These MDM/EMM solutions are currently integrated with Veracode’s cloud-based reputation intelligence service via APIs, leveraging risk profiles from hundreds of thousands of scans of mobile applications that are continually being assessed using advanced behavioral analysis and machine-learning technology.

About Thoma Bravo, LLC

Thoma Bravo is a leading private equity firm focused on the software and technology-enabled services sectors. With a series of funds representing more than $30 billion in capital commitments, Thoma Bravo partners with a company’s management team to implement operating best practices, invest in growth initiatives and make accretive acquisitions intended to accelerate revenue and earnings, with the goal of increasing the value of the business. Representative past and present portfolio companies include industry leaders such as ABC Financial, Blue Coat Systems, Deltek, Digital Insight, Frontline Education, Global Healthcare Exchange, Hyland Software, Imprivata, iPipeline, PowerPlan, Qlik, Riverbed, SailPoint, SolarWinds, SonicWall, Sparta Systems and TravelClick. The firm has offices in San Francisco and Chicago. For more information, visit thomabravo.com.

About Veracode

Veracode is a leader in helping organizations secure the software that powers their world. Veracode’s SaaS platform and integrated solutions help security teams and software developers find and fix security-related defects at all points in the software development lifecycle, before they can be exploited by hackers. Our complete set of offerings help customers reduce the risk of data breaches, increase the speed of secure software delivery, meet compliance requirements, and cost effectively secure their software assets- whether that’s software they make, buy or sell.

Veracode serves more than 2,000 customers across a wide range of industries, including nearly one-third of the Fortune 100 and more than 20 of Forbes’ 100 Most Valuable Brands.

Cookie Use

We use cookies to collect information to help us personalise your experience and improve the functionality and performance of our site. By continuing to use our site [without first changing your browser setting], you consent to our use of cookies. For more information see our cookies policy.

Veracode is a leading provider of enterprise-class application security, seamlessly integrating agile security solutions for organizations around the globe. In addition to application security services and secure devops services, Veracode provides a full security assessment to ensure your website and applications are secure, and ensures full enterprise data protection. Application protection services from Veracode include white box testing, and mobile application security testing, with customized solutions that eliminate vulnerabilities at all points along the development life cycle.